Managing user privileges for computer resources in a networked computing environment

ABSTRACT

Approaches for automatically managing user privileges for computer resources based on determined levels of expertise in a networked computing environment (e.g., a cloud computing environment) are provided. In a typical approach, a user profile associated with a prospective user of a set of computer resources in the networked computing environment may be accessed. The user profile may include information pertaining to a skill level of the prospective user with respect to the set of computer resources. Based on the information contained in the user profile, an expertise level of the prospective user with respect to the set of computer resources may be determined, and a corresponding score may be calculated. Based on the score, a level of user privileges for the set of computer resources may be provided.

TECHNICAL FIELD

In general, embodiments of the present invention relate to user privilege management. Specifically, embodiments of the present invention relate to the management of user privileges for computer resources in a networked computing environment (e.g., a cloud computing environment).

BACKGROUND

The networked computing environment (e.g., cloud computing environment) is an enhancement to the predecessor grid environment, whereby multiple grids and other computation resources may be further enhanced by one or more additional abstraction layers (e.g., a cloud layer), thus making disparate devices appear to an end-consumer as a single pool of seamless resources. These resources may include such things as physical or logical computing engines, servers and devices, device memory, and storage devices, among others.

A cloud environment makes it easy for cloud providers to automate the provisioning of resources such as standardized server and desktop images for end users. This automation is an important benefit of cloud computing, as provisioning standardized resources does not typically require much customization and configuration. Challenges may exist, however, in that not all cloud consumers are at the same skill level, and therefore not all users should be granted the same usage privileges. Currently, the management of a user's privilege level is a manual process whereby a review of the user's expertise is manually performed and a corresponding privilege given based on what an administrator believes is appropriate. Given that many organizations have a large number of users whose expertise levels may change over time, such manual processes may be time consuming and inefficient.

SUMMARY

In general, aspects of the present invention relate to an approach for automatically managing user privileges for computer resources based on determined levels of expertise in a networked computing environment (e.g., a cloud computing environment). In a typical embodiment, a user profile associated with a prospective user of a set of computer resources in the networked computing environment may be accessed. The user profile may comprise information pertaining to a skill level of the prospective user with respect to the set of computer resources. Based on the information contained in the user profile, an expertise level of the prospective user with respect to the set of computer resources may be determined, and a corresponding score may be calculated. Based on the score, a level of user privileges for the set of computer resources may be provided. In addition, a user interface operated by the user to utilize the set of computer resources may be modified according to the user's determined level of expertise and/or privileges.

A first aspect of the present invention provides a computer-implemented method for managing user privileges for computer resources in a networked computing environment, comprising: accessing, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determining an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculating a score based on the expertise level; and providing a level of user privileges for the set of computer resources commensurate with the score.

A second aspect of the present invention provides a system for managing user privileges for computer resources in a networked computing environment, comprising: a bus; a processor coupled to the bus; and a memory medium coupled to the bus, the memory medium comprising instructions to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.

A third aspect of the present invention provides a computer program product for managing user privileges for computer resources in a networked computing environment, the computer program product comprising a computer readable storage media, and program instructions stored on the computer readable storage media, to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.

A fourth aspect of the present invention provides a method for deploying a system for managing user privileges for computer resources in a networked computing environment, comprising: providing a computer infrastructure being operable to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of this invention will be more readily understood from the following detailed description of the various aspects of the invention taken in conjunction with the accompanying drawings in which:

FIG. 1 depicts a cloud computing node according to an embodiment of the present invention.

FIG. 2 depicts a cloud computing environment according to an embodiment of the present invention.

FIG. 3 depicts abstraction model layers according to an embodiment of the present invention.

FIG. 4 depicts a system diagram according to an embodiment of the present invention.

FIG. 5 depicts a process flow diagram according to an embodiment of the present invention.

FIG. 6 depicts a method flow diagram according to an embodiment of the present invention.

The drawings are not necessarily to scale. The drawings are merely schematic representations, not intended to portray specific parameters of the invention. The drawings are intended to depict only typical embodiments of the invention, and therefore should not be considered as limiting the scope of the invention. In the drawings, like numbering represents like elements.

DETAILED DESCRIPTION

Illustrative embodiments will now be described more fully herein with reference to the accompanying drawings, in which embodiments are shown. This disclosure may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of this disclosure to those skilled in the art. In the description, details of well-known features and techniques may be omitted to avoid unnecessarily obscuring the presented embodiments.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of this disclosure. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, the use of the terms “a”, “an”, etc., does not denote a limitation of quantity, but rather denotes the presence of at least one of the referenced items. The term “set” is intended to mean a quantity of at least one. It will be further understood that the terms “comprises” and/or “comprising”, or “includes” and/or “including”, when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.

As indicated above, aspects of the present invention relate to an approach for automatically managing user privileges for computer resources based on determined levels of expertise in a networked computing environment (e.g., a cloud computing environment). In a typical embodiment, a user profile associated with a prospective user of a set of computer resources in the networked computing environment may be accessed. The user profile may comprise information pertaining to a skill level of the prospective user with respect to the set of computer resources. Based on the information contained in the user profile, an expertise level of the prospective user with respect to the set of computer resources may be determined, and a corresponding score may be calculated. Based on the score, a level of user privileges for the set of computer resources may be provided. In addition, a user interface operated by the user to utilize the set of computer resources may be modified according to the user's determined level of expertise and/or privileges.

It is understood in advance that although this disclosure includes a detailed description of cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.

Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically without requiring human interaction with the service's provider.

Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computer resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active consumer accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited consumer-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application-hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computer resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.

Referring now to FIG. 1, a schematic of an example of a cloud computing node is shown. Cloud computing node 10 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. Regardless, cloud computing node 10 is capable of being implemented and/or performing any of the functionality set forth hereinabove.

In cloud computing node 10, there is a computer system/server 12, which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 12 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.

Computer system/server 12 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Computer system/server 12 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown in FIG. 1, computer system/server 12 in cloud computing node 10 is shown in the form of a general-purpose computing device. The components of computer system/server 12 may include, but are not limited to, one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including system memory 28 to processor 16.

Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus.

Computer system/server 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 12, and it includes both volatile and non-volatile media, removable and non-removable media.

System memory 28 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. Computer system/server 12 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 34 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM, or other optical media can be provided. In such instances, each can be connected to bus 18 by one or more data media interfaces. As will be further depicted and described below, memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.

The embodiments of the invention may be implemented as a computer readable signal medium, which may include a propagated data signal with computer readable program code embodied therein (e.g., in baseband or as part of a carrier wave). Such a propagated signal may take any of a variety of forms including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium including, but not limited to, wireless, wireline, optical fiber cable, radio-frequency (RF), etc., or any suitable combination of the foregoing.

Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28 by way of example, and not limitation. Memory 28 may also have an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 42 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.

Computer system/server 12 may also communicate with one or more external devices 14 such as a keyboard, a pointing device, a display 24, etc.; one or more devices that enable a consumer to interact with computer system/server 12; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 12 to communicate with one or more other computing devices. Such communication can occur via I/O interfaces 22. Still yet, computer system/server 12 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 20. As depicted, network adapter 20 communicates with the other components of computer system/server 12 via bus 18. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server 12. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.

Referring now to FIG. 2, illustrative cloud computing environment 50 is depicted. As shown, cloud computing environment 50 comprises one or more cloud computing nodes 10 with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone 54A, desktop computer 54B, laptop computer 54C, and/or automobile computer system 54N may communicate. Nodes 10 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as private, community, public, or hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment 50 to offer infrastructure, platforms, and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 54A-N shown in FIG. 2 are intended to be illustrative only and that computing nodes 10 and cloud computing environment 50 can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 3, a set of functional abstraction layers provided by cloud computing environment 50 (FIG. 2) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 3 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided:

Hardware and software layer 60 includes hardware and software components. Examples of hardware components include mainframes. In one example, IBM® zSeries® systems and RISC (Reduced Instruction Set Computer) architecture based servers. In one example, IBM pSeries® systems, IBM System X® servers, IBM BladeCenter® systems, storage devices, networks, and networking components. Examples of software components include network application server software. In one example, IBM WebSphere® application server software and database software. In one example, IBM DB2® database software. (IBM, zSeries, pSeries, System x, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide.)

Virtualization layer 62 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.

In one example, management layer 64 may provide the functions described below. Resource provisioning provides dynamic procurement of computer resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. Consumer portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment provides pre-arrangement for, and procurement of, cloud computer resources for which a future requirement is anticipated in accordance with an SLA. Further shown in management layer 64 is user privilege management, which represents the functionality that is provided under the embodiments of the present invention.

Workloads layer 66 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and consumer data storage and backup. As mentioned above, all of the foregoing examples described with respect to FIG. 3 are illustrative only, and the invention is not limited to these examples.

It is understood that all functions of the present invention as described herein typically may be performed by the user privilege management functionality (of management layer 64), which can be tangibly embodied as modules of program code 42 of program/utility 40 (FIG. 1). However, this need not be the case. Rather, the functionality recited herein could be carried out/implemented and/or enabled by any of the layers 60-66 shown in FIG. 3.

It is reiterated that although this disclosure includes a detailed description on cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, the embodiments of the present invention are intended to be implemented with any type of networked computing environment now known or later developed.

Referring now to FIG. 4, a system diagram describing the functionality discussed herein according to an embodiment of the present invention is shown. It is understood that the teachings recited herein may be practiced within any type of networked computing environment 86 (e.g., a cloud computing environment 50). A computer system/server 12, which can be implemented as either a stand-alone computer system or as a networked computer system, is shown. In the event the teachings recited herein are practiced in a networked computing environment 86, each client need not have a user privilege management engine (engine 70). Rather, engine 70 could be loaded on a server or server-capable device that communicates (e.g., wirelessly) with the clients to provide user privilege management therefor. Regardless, as depicted, engine 70 is shown within computer system/server 12. In general, engine 70 can be implemented as program/utility 40 on computer system 12 of FIG. 1 and can enable the functions recited herein. As further shown, engine 70 (in one embodiment) comprises a rules and/or computational engine that processes a set (at least one) of rules/logic 72 and/or provides user privilege management hereunder.

Along these lines, engine 70 may perform multiple functions similar to a general-purpose computer. Specifically, among other functions, engine 70 may: access, in a computer storage device 82A-N, user profile(s) 84A-N associated with a prospective user 76 of a set of computer resources 78A-N in the networked computing environment (e.g., in response to a request 74 by prospective user 76 to utilize computer resources 78A-N), the user profile(s) 84A-N comprising information pertaining to a skill level of the prospective user 76 with respect to the set of computer resources 78A-N (e.g., certifications, education, experience, job titles, affiliations, exam results associated with the prospective user, etc.); determine an expertise level 88 (e.g., the expertise level 88 ranging from beginner to expert) of the prospective user 76 with respect to the set of computer resources 78A-N based on the information contained in the user profile(s) 84A-N (e.g., based on a comparison of the information to information of other users having previously determined expertise levels); calculate a score 90 (e.g., along a predetermined numeric scale) based on the expertise level 88; provide a level of user privileges 92 to the set of computer resources 78A-N commensurate with the score 90; configure a user interface 94 for the prospective user based on the expertise level 88, the score 90, and/or the privilege level 92; and modify the expertise level 88, the score 90, and the level of user privileges 92 in response to changes to the information.

As described above, embodiments of the present invention provide a system that determines the expertise of the person who has requested the provision/utilization of a resource in a cloud environment. The expertise of the person can be assessed through a plurality of resources such as the person's job title from a company directory, social networking data, a resume, a certification test/survey, or more. Once the user's expertise has been assessed, the privilege level granted to the user as well as the user interface will be constructed in a way that allows for either more or less advanced features to be available to the user. Additionally, after the resources are provisioned, the system may continually evolve and adapt to the professional development of the user, “unlocking” new capabilities or features commensurate with the growth of his or her experience and skills.

Illustrative Examples

Shown below are illustrative examples of how these teachings may beapplied. It is understood that these examples are intended to beillustrative only and are not intended to be limiting:

I. The skills of a DB2® database (DB2 and related terms are trademarksof International Business Machines Corporation in the United States andother countries) user evolve over time:

Assume that a recent graduate familiar with a DB2 system has earned abasic certification level and commenced a position with company “ABC.”Further assume that the user provisions a DB2 system from a cloud IaaSprovider, which in turn recognizes the user's skill level andpre-configures the virtual machine with minimal privileges. Some periodof time later, the user earns a higher level certification for DB2. Atthis point, the user's current DB2 system is automatically reconfiguredto include additional development tools. Any new DB2 systems heprovisions also include this expanded capability. Finally, assume thatthe user then goes on to earn an advanced level of certification. Inrecognition of this expertise, the system then escalates the user'sprivilege to include full control over the file systems, raw devices,and networking (to federated systems).

II. The skills of a project manager evolve over time:

Assume in this example that an entry level project manager (manager) joins a team at company “ABC.” Further assume that the manager has an entry level certification for project management. The manager then provisions a virtual desktop (or requests an account on a SaaS system) and the system grants her a license to use a standard edition of a project management software program (with the base feature set). A period of time later, assume that the manager advances to the “Project Management Professional (PMP)” level, and the manager's virtual desktop (or SaaS) account is upgraded to “Professional Edition” of the project management software program.

In both examples above, software licenses for the end users are optimized to expose the right software or virtual machine configuration for the users commensurate with their skills and needs. This saves the company money, allocates the right resources to the right users, and prevents the end users from being overwhelmed or accidentally misusing the features and permissions they have on their respective systems.

Referring now to FIG. 5, an illustrative flow diagram for an initial instance configuration is shown. As depicted, a cloud service consumer/user 100 interacts with a cloud service provider 102 whose privilege levels and access controls are managed by system 104 (e.g., program 40 and/or engine 70). Initially, a user profile is created that contains information about the user 100's professional skill set, such as an enterprise directory entry, as to whether he is a certified system administrator or project manager. Along these lines, the profile may include items such as certification history 106, job role 108, curriculum vitae (CV) 110, etc. In step P1, user 100 requests the provisioning and/or consumption of an IaaS 112, PaaS 114 or SaaS 116 resource from cloud provider 102. In step P2, cloud provider 102 will seek information/hints pertaining to the expertise level of user 100 based on the information available about user 100. Some example sources could be: a company's employee database that could list job title, skills, and skill levels; area of the company in which user 100 works; position history of the user 100; certifications as provided in the user 100's profile; public social networking data from various sites providing data such as activity on certain tech-specific forums/discussion boards; a copy of a resume of user 100; network affiliations of user 100; network expertise recommendations or tags associated with user 100; and/or quizzes or certification exams administered either by an outside organization or by the cloud provider 102 itself to assess the expertise level of user 100.

System 104 will analyze the user 100's profile information in order to make a recommendation about how the requested resource(s) should be configured and what security level the user 100 should be granted. Once all parameters/variables have been considered, system 104 may determine a probable level of expertise of user 100 and assign a score thereto (e.g., a numeric value, for example, on a scale of 0-10 where 0 is a beginner and 10 is an expert). The expertise level and suggested privilege level may be determined/calculated based on various rules such as rules for certification 118, rules for job role 120, and/or rules for CV 122.

In step P3, configuration details will then be provided from system 104 to provider 102 so that provider 102 may commence provisioning/allocating the resources for user 100 in step P4. System 104 may also modify or suggest modifications to any user interfaces operated by user 100 commensurate with user 100's expertise/skill level, access privileges, etc. System 104 may repeat some or all of these steps by polling the data sources for user information, or in response to pushed updates from those sources, to keep the system continually optimized to match the user's skills.

Referring to FIG. 6, a method flow diagram according to an embodiment of the present invention is shown. As depicted, in step S1, a user profile associated with a prospective user of a set of computer resources in the networked computing environment is accessed. In step S2, an expertise level of the prospective user is determined with respect to the set of computer resources based on the information contained in the user profile. In step S3, a score is calculated based on the expertise level. In step S4, a level of user privileges is provided to the set of computer resources commensurate with the score. In step S5, a user interface is modified for the prospective user based on the score.
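The scoring pipeline of FIG. 5 and FIG. 6 (profile, rule tables, 0-10 score, privilege tier, re-run when the profile changes), carried through as an added example that is not part of the patent. The certification names, rule weights and tier thresholds are constructed for illustration, since the document fixes only the 0-10 beginner-to-expert scale and the three privilege stages of Illustrative Example I.

```python
from dataclasses import dataclass, field

# Constructed rule tables: the patent names rules for certification (118),
# job role (120) and CV (122) but gives no weights, so these are illustrative.
CERT_RULES: dict[str, float] = {"db2-basic": 2, "db2-intermediate": 5, "db2-advanced": 8}
ROLE_RULES: dict[str, float] = {"graduate": 0, "developer": 1, "dba": 2}
CV_POINTS_PER_YEAR, CV_CAP = 0.25, 1.0
# Privilege tiers from Illustrative Example I, keyed by the minimum score (0-10).
PRIVILEGE_TIERS = [(0, "minimal"), (4, "development tools"), (8, "full control")]


@dataclass
class UserProfile:
    """Step S1 input: profile items 106, 108 and 110 in simplified form."""
    certifications: list[str] = field(default_factory=list)
    job_role: str = "graduate"
    years_experience: float = 0.0


def expertise_score(profile: UserProfile) -> float:
    """Steps S2/S3: combine the rule tables into a score clamped to the 0-10 scale.
    Unrecognised certifications or roles score nothing, so external profile data cannot inflate it."""
    cert = max((CERT_RULES.get(c, 0.0) for c in profile.certifications), default=0.0)
    role = ROLE_RULES.get(profile.job_role, 0.0)
    cv = min(profile.years_experience * CV_POINTS_PER_YEAR, CV_CAP)
    return max(0.0, min(10.0, cert + role + cv))


def expertise_level(score: float) -> str:
    """Claim 6: label the numeric score on a beginner-to-expert range."""
    return "beginner" if score < 4 else "intermediate" if score < 8 else "expert"


def privilege_level(score: float) -> str:
    """Step S4: grant the highest tier whose minimum score is met, never more."""
    granted = PRIVILEGE_TIERS[0][1]
    for minimum, name in PRIVILEGE_TIERS:
        if score >= minimum:
            granted = name
    return granted


def reevaluate(profile: UserProfile, current_privilege: str) -> dict:
    """Claim 5 / the FIG. 5 polling loop: recompute after profile information changes
    and report whether the granted privilege must move up or down."""
    score = expertise_score(profile)
    new_privilege = privilege_level(score)
    return {"score": score, "level": expertise_level(score),
            "privilege": new_privilege, "changed": new_privilege != current_privilege}


def db2_lifecycle() -> list[str]:
    """Walk Illustrative Example I: each new certification triggers a re-evaluation."""
    profile = UserProfile(certifications=["db2-basic"])
    granted = [privilege_level(expertise_score(profile))]
    for cert in ("db2-intermediate", "db2-advanced"):
        profile.certifications.append(cert)
        granted.append(reevaluate(profile, granted[-1])["privilege"])
    return granted
```

Because `reevaluate` reports downgrades as well as upgrades, a lapsed or withdrawn certification reduces the granted tier on the next poll instead of leaving stale privileges in place.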

While shown and described herein as a user privilege management solution, it is understood that the invention further provides various alternative embodiments. For example, in one embodiment, the invention provides a computer-readable/useable medium that includes computer program code to enable a computer infrastructure to provide user privilege management functionality as discussed herein. To this extent, the computer-readable/useable medium includes program code that implements each of the various processes of the invention. It is understood that the terms computer-readable medium or computer-useable medium comprise one or more of any type of physical embodiment of the program code. In particular, the computer-readable/useable medium can comprise program code embodied on one or more portable storage articles of manufacture (e.g., a compact disc, a magnetic disk, a tape, etc.), on one or more data storage portions of a computing device, such as memory 28 (FIG. 1) and/or storage system 34 (FIG. 1) (e.g., a fixed disk, a read-only memory, a random access memory, a cache memory, etc.).

In another embodiment, the invention provides a method that performs the process of the invention on a subscription, advertising, and/or fee basis. That is, a service provider, such as a Solution Integrator, could offer to provide user privilege management functionality. In this case, the service provider can create, maintain, support, etc., a computer infrastructure, such as computer system 12 (FIG. 1) that performs the processes of the invention for one or more consumers. In return, the service provider can receive payment from the consumer(s) under a subscription and/or fee agreement and/or the service provider can receive payment from the sale of advertising content to one or more third parties.

In still another embodiment, the invention provides a computer-implemented method for user privilege management. In this case, a computer infrastructure, such as computer system 12 (FIG. 1), can be provided and one or more systems for performing the processes of the invention can be obtained (e.g., created, purchased, used, modified, etc.) and deployed to the computer infrastructure. To this extent, the deployment of a system can comprise one or more of: (1) installing program code on a computing device, such as computer system 12 (FIG. 1), from a computer-readable medium; (2) adding one or more computing devices to the computer infrastructure; and (3) incorporating and/or modifying one or more existing systems of the computer infrastructure to enable the computer infrastructure to perform the processes of the invention.

As used herein, it is understood that the terms “program code” and “computer program code” are synonymous and mean any expression, in any language, code, or notation, of a set of instructions intended to cause a computing device having an information processing capability to perform a particular function either directly or after either or both of the following: (a) conversion to another language, code, or notation; and/or (b) reproduction in a different material form. To this extent, program code can be embodied as one or more of: an application/software program, component software/a library of functions, an operating system, a basic device system/driver for a particular computing device, and the like.

A data processing system suitable for storing and/or executing program code can be provided hereunder and can include at least one processor communicatively coupled, directly or indirectly, to memory elements through a system bus. The memory elements can include, but are not limited to, local memory employed during actual execution of the program code, bulk storage, and cache memories that provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. Input/output and/or other external devices (including, but not limited to, keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening device controllers.

Network adapters also may be coupled to the system to enable the data processing system to become coupled to other data processing systems, remote printers, storage devices, and/or the like, through any combination of intervening private or public networks. Illustrative network adapters include, but are not limited to, modems, cable modems, and Ethernet cards.

The foregoing description of various aspects of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed and, obviously, many modifications and variations are possible. Such modifications and variations that may be apparent to a person skilled in the art are intended to be included within the scope of the invention as defined by the accompanying claims.

What is claimed is:
1. A computer-implemented method for managing user privileges for computer resources in a networked computing environment, comprising: accessing, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determining an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculating a score based on the expertise level; and providing a level of user privileges for the set of computer resources commensurate with the score.

2. The computer-implemented method of claim 1, the information comprising at least one of the following: certifications, education, experience, job titles, affiliations, or exam results associated with the prospective user.

3. The computer-implemented method of claim 2, the expertise level being determined based on a comparison of the information to information of other users having previously determined expertise levels.

4. The computer-implemented method of claim 1, further comprising configuring a user interface for the prospective user based on the score.

5. The computer-implemented method of claim 1, further comprising modifying the expertise level, the score, and the level of user privileges in response to changes to the information.

6. The computer-implemented method of claim 1, the expertise level ranging from beginner to expert, and the score being based on a predetermined numeric scale.

7. The computer-implemented method of claim 1, the set of computer resources comprising cloud computer resources and the networked computing environment comprising a cloud computing environment.

8. A system for managing user privileges for computer resources in a networked computing environment, comprising: a bus; a processor coupled to the bus; and a memory medium coupled to the bus, the memory medium comprising instructions to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.

9. The system of claim 8, the information comprising at least one of the following: certifications, education, experience, job titles, affiliations, or exam results associated with the prospective user.

10. The system of claim 9, the expertise level being determined based on a comparison of the information to information of other users having previously determined expertise levels.

11. The system of claim 8, the memory medium further comprising instructions to configure a user interface for the prospective user based on the score.

12. The system of claim 8, the memory medium further comprising instructions to modify the expertise level, the score, and the level of user privileges in response to changes to the information.

13. The system of claim 8, the expertise level ranging from beginner to expert, and the score being based on a predetermined numeric scale.

14. The system of claim 8, the set of computer resources comprising cloud computer resources and the networked computing environment comprising a cloud computing environment.

15. A computer program product for managing user privileges for computer resources in a networked computing environment, the computer program product comprising a computer readable storage media, and program instructions stored on the computer readable storage media, to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.

16. The computer program product of claim 15, the information comprising at least one of the following: certifications, education, experience, job titles, affiliations, or exam results associated with the prospective user.

17. The computer program product of claim 16, the expertise level being determined based on a comparison of the information to information of other users having previously determined expertise levels.

18. The computer program product of claim 15, further comprising program instructions stored on the computer readable storage media to configure a user interface for the prospective user based on the score.

19. The computer program product of claim 15, further comprising program instructions stored on the computer readable storage media to modify the expertise level, the score, and the level of user privileges in response to changes to the information.

20. The computer program product of claim 15, the expertise level ranging from beginner to expert, and the score being based on a predetermined numeric scale.

21. The computer program product of claim 15, the set of computer resources comprising cloud computer resources and the networked computing environment comprising a cloud computing environment.

22. A method for deploying a system for managing user privileges for computer resources in a networked computing environment, comprising: providing a computer infrastructure being operable to: access, in a computer storage device, a user profile associated with a prospective user of a set of computer resources in the networked computing environment, the user profile comprising information pertaining to a skill level of the prospective user with respect to the set of computer resources; determine an expertise level of the prospective user with respect to the set of computer resources based on the information contained in the user profile; calculate a score based on the expertise level; and provide a level of user privileges for the set of computer resources commensurate with the score.